Phish in troubled waters
16th October 2006 (Computimes)
By Rozana Sani

EFFORTS to combat phishing attacks that threaten to cripple the local online banking industry are making good progress. The Malaysian Cyber Security Centre (MCSC), which is working closely with the regulator, Internet service providers and Computer Emergency Response Teams (CERTs) - both locally and overseas - has reported some success in bringing down a number of phishing sites hosted across borders.

According to Lieutenant Colonel Husin Jazri of MCSC, the team have been able to bring down phishing sites within several hours, which is commendable.

He said the Malaysian CERT (MyCERT), which is a unit within MCSC, has been closely monitoring phishing activities in the country and even issued an advisory on possible phishing attacks on Internet banking users last month.

Their findings showed that 85 per cent of the phishing sites imitating local banks and other e-commerce Web sites reported were hosted overseas; those hosted in Malaysia mostly involved foreign banks.

"Through our interactions with other National Computer Emergency Response Teams in Australia, Japan and other countries, we are seeing that some cases involving large online payment gateways may involve organised groups with collaboration between spammers and hackers. For smaller-scale targets, they usually involve local players.

"Most of the banks targeted are not only in Malaysia; similar problems are faced in Europe and other countries," Husin told Tech&U last week.

Husin acknowledged that the battle against phishing is far from over, but advised users not to be overly alarmed, saying that the problem is global and cases in Malaysia are relatively low compared to advanced countries.

As of last month, MCSC has received a total of 159 phishing reports. It received 132 reports last year and 92 reports in the year before.

"There is no specific bank targeted. Basically, any bank providing Internet banking would be a target. We believe that the financial sector is aware and putting various measures to curb this activity," Husin said.

On why phishing is becoming more rampant, Husin said it is because of the possibility of identity theft.

"Measures to enhance the authentication level such as using two-factor authentication, 'what you have' (such as MyKad) combined with 'what you know' (such as password), can reduce the possibility of identity theft.

"Internet banking users also need to be educated that their banking information should be kept private and confidential despite the many attempts by fraudsters to steal or obtain the information from them."

What's important at this point, Husin advised, is for users to be aware of such threats and to be cautious.

"Consumers should not just follow the Internet links provided in e-mail without due diligence. They should retype the URL (uniform resource locator) or use their normal browser bookmarks to access the banking sites. The banks are also providing information on their Web sites to educate users and inform them of the latest phishing scams.

"Consumers should immediately report to the banks or MCSC upon receipt of potential scam e-mail. Internet banking login ID and passwords should be kept private and confidential at all times."